---
sidebar_label: Network options
sidebar_position: 22
description: Manage network options with the Hasura Metadata API
keywords:
  - hasura
  - docs
  - Metadata API
  - API reference
  - network options
  - TLS
  - allowlist
  - TLS allow list
---

# Metadata API Reference: Network Options (v2.0 and above)

## Introduction

Here's the API to modify any `Network` metadata. One of the options is
to manage a `TLS allowlist`.

## TLS allow list

The TLS allow list represents a set of services that are permitted to use
self-signed certificates - primarily intended for use in development and
staging environments, services can be allowlisted by a `host`, and
optionally (service id) `port`.

## add_host_to_tls_allowlist {#metadata-add-host-to-tls-allowlist}

`add_host_to_tls_allowlist` is used to add any string

This API could be supplied with just the hostname in the `args` field of
the request instead of the complete object.

```http
POST /v1/metadata HTTP/1.1
Content-Type: application/json
X-Hasura-Role: admin

{
    "type": "add_host_to_tls_allowlist",
    "args": {
        "host": "graphql.hasura.io",
        "suffix": "4183",
        "permissions": ["self-signed"]
    }
}
```

### Args syntax {#add-host-to-tls-allowlist-syntax}

| Key         | Required | Schema     | Description                                                                                                                                          |
| ----------- | -------- | ---------- | ---------------------------------------------------------------------------------------------------------------------------------------------------- |
| host        | true     | `String`   | the hostname/domain of the endpoint                                                                                                                  |
| suffix      | false    | `String`   | suffix for the service (this is usually reserved for the service port number)                                                                        |
| permissions | false    | `[String]` | Can be only `["self-signed"]` until more permissions are supported. "self-signed" allows self-signed, name mismatches, and non-X509.V3 certificates. |

## drop_host_from_tls_allowlist {#metadata-drop-host-from-tls-allowlist}

`drop_host_from_tls_allowlist` is used to drop an endpoint from the TLS allow list.

```http
POST /v1/metadata HTTP/1.1
Content-Type: application/json
X-Hasura-Role: admin

{
    "type": "drop_host_from_tls_allowlist",
    "args": {
        "host": "graphql.hasura.io",
        "suffix": "4183"
    }
}
```

### Args syntax {#drop-host-from-tls-allowlist-syntax}

| Key    | Required | Schema   | Description                                                                     |
| ----   | -------- | -------- | ------------------------------------------------------------------------------- |
| host   | true     | `String` | the hostname/domain of the endpoint that was previously added to the allow list |
| suffix | false    | `String` | suffix for the service (this is usually reserved for the service port number)   |
